Abstract

The paper proposes a modular framework for the verification of temporal logic properties of systems based on the deductive transformation and composition of diagrams. The diagrams represent abstractions of the modules composing the system, together with information about the environment of the modules. The proof of a temporal specification is constructed with the help of diagram transformation and composition rules, which enable the gradual decomposition of the system into manageable modules, the study of the modules, and the final combination of the diagrams into a proof of the specification. We illustrate our methodology with the modular verification of a database demarcation protocol.

1 Introduction

One of the challenges of formal verification is to propose verification methodologies that are able to handle not only simple examples, but also realistic systems. Modular verification frameworks propose to address this issue by providing the means of decomposing the original system into modules of manageable size, studying each module separately, and composing the results into a proof of the correctness of the whole system. In this paper, we introduce a verification formalism based on the deductive transformation and composition of diagrams. The aim is to obtain a methodology that combines the modular approach to verification with the visual representation, the gradual proof construction and the provision of proof guidance made possible by diagrams.

The modular verification approach that we follow is based on the assume-guarantee paradigm of Abadi and Lamport [AL90]. In this paradigm, the system is partitioned into modules, which are studied with the help of assumptions about their environment. These assumptions, which must have the form of safety properties, usually specify restrictions to the possible state transitions of the module's environment. Once these assumptions are validated by an analysis of the other modules, the properties of the modules are combined into a correctness proof for the whole system.

The modular diagrams used in this paper belong to the family originated by the proposal of [MP94], later generalized by [BMS95]; another proposal using diagrams for the illustration of proofs is [Lam94]. In particular, this work represents a synthesis and an extension to modular verification of the proposals [dAM96, SUM96]. The diagrams provide a visual representation of the behavior of system modules and their environment: they consist of graphs whose vertices are labeled with assertions, and whose edges are labeled with transition formulas; additional components specify the progress properties that have been proved about them.

The proof that a system satisfies a temporal specification is constructed by applying a set of transformation rules to two initial diagrams, one representing the system and the other representing the negation of the specification. There are several classes of rules: modular rules split the system or one of its modules into submodules; safety, progress and simplification rules are used to study the diagrams; a composition operator is used to compose diagrams for different modules into a single diagram. The aim of this process is to obtain a diagram that can be algorithmically shown to have empty language: by construction, this implies that all the behaviors of the original system satisfy the specification. The structure of the proof process, and of the composition operator, is reminiscent of the proposal of [GL94] for the modular verification of finite-state systems.

Integrating the modular framework with the use of diagrams makes it possible to generate the environment assumptions in a simple and often automatic way during the study of each module, and to discard them automatically during the composition of modules. The same operator also provides guidance for proof refinement in the case in which the environment assumptions cannot be validated: further guidance can be obtained from an automatic analysis of the diagrams, combining the insights of [dAM96, SUM96, dAKM97]. Our approach also leads to an increased flexibility of the process of modular analysis: the modules can be dynamically decomposed into submodules and recomposed during the construction of the proof, enabling a need-driven decomposition of modules. We illustrate our methodology with the modular verification of a protocol to enforce data constraints on distributed databases.

2 Preliminaries

Transition systems. Given a set $V$ of variables, we denote by $form(V)$ the set of well-formed first-order formulas whose free variables are among $V$. Our computational model is that of a transition system (TS) $S = (V, T, \Theta, J, C)$, where $V$ is a set of typed state variables, $T$ is a set of transitions, $\Theta \in form(V)$ is a satisfiable initial condition, $J \subseteq T$ contains the just (weakly fair) transitions, and $C \subseteq T$ contains the compassionate (strongly fair) transitions. A state $s$ is a type-consistent interpretation of $V$, and $\Sigma$ denotes the set of all states. A transition $\tau \in T$ is a function $\tau : \Sigma \mapsto 2^{\Sigma}$, and is represented by a transition formula $\rho_\tau \in form(V, V')$ that expresses the relation between the values of $V$ in the current state and those in the next state, referred to by $V' = \{x' \mid x \in V\}$. Given a formula $\phi \in form(V)$, we denote by $\phi'$ the formula obtained by replacing each $x \in V$ with $x'$. For $\tau \in T$, the enabling condition $En(\tau)$ of $\tau$ is defined by $\exists V' \,.\, \rho_\tau$. The set $T$ must include the idle transition $\tau_{idle}$ with transition relation $\rho_{\tau_{idle}} : \bigwedge_{x \in V} (x = x')$.

The language $\mathcal{L}(S)$ of a transition system $S = (V, T, \Theta, J, C)$ consists of all the infinite sequences of states $s_0, s_1, s_2, \ldots \in \Sigma^{\omega}$ such that $s_0$ satisfies $\Theta$, for every $s_i, s_{i+1}$ there exists $\tau \in T$ such that $(s_i, s_{i+1}) \models \rho_\tau$, and the fairness conditions are respected [MP91]. Note that $\mathcal{L}(S) \neq \emptyset$, since $\Theta$ is satisfiable and $\tau_{idle} \in T$.

Specification language: linear-time temporal logic. The system specifications are written in the language TLS consisting of first-order linear-time temporal logic formulas in which no temporal operator appears in the scope of a quantifier. The formulas of TLS are thus obtained by combining first-order logic formulas by means of the future temporal operators $\bigcirc$ (next), $\Box$ (always), $\Diamond$ (eventually), $\mathcal{U}$ (until), and the corresponding past ones $\ominus$ (previously), $\boxminus$ (always in the past), $\Diamond^{-}$ (sometime in the past) and $\mathcal{S}$ (since) [MP91].

Example: demarcation protocol. We illustrate the proposed methodology by verifying a safety property of the protocol shown in Figure 1. The protocol is a more parallel version of the demarcation protocol presented in [BGM92], and is used to maintain linear arithmetic consistency constraints in a distributed database while minimizing communication costs between sites. In the example shown we have two sites, with data variables $x$ and $y$, and we need to maintain the constraint $x \leq y$. The demarcation protocol shown maintains two safe limits $x_l$ and $y_l$. Site 1 (Site 2) can modify $x$ ($y$) independently as long as it stays below $x_l$ (above $y_l$). When a site, e.g. Site 1, wishes to go beyond the safe limit, it asks permission from Site 2 to increase the limit $x_l$. If the new
$\alpha, \beta$ : channel of integer

Site 1:
  local $x, x_l$ : integer where $x = 0$, $x_l =$ [initial value illegible in the source]

  Requestor$_1$:
    local $x_g, x_w$ : integer where $x_g = 0$
    local $a_x$ : boolean
    $\ell_0$: loop forever do
      $\ell_1$: produce $x_w$
      $\ell_2$: $\langle$ if $x_w \leq x_l$ then $(x, a_x) := (x_w, F)$ else $a_x := T$ $\rangle$
      $\ell_3$: if $a_x$ then
        $\ell_4$: $\alpha \Leftarrow (x_w - x_l)$
        $\ell_5$: $\alpha \Rightarrow x_g$
        $\ell_6$: $(x_l, x_g) := (x_l + x_g, 0)$
      $\ell_7$: $\langle$ if $x_w \leq x_l$ then $x :=$ … [rest illegible in the source] $\rangle$

  Grantor$_1$:
    local $x_r, x_p$ : integer where $x_r > 0$, $x_p = 0$
    $m_0$: loop forever do
      $m_1$: $\beta \Rightarrow x_r$
      $m_2$: $\langle$ if $x_l - x_r \geq x$ then $(x_l, x_p) := (x_l - x_r, x_r)$ else $x_p := 0$ $\rangle$
      $m_3$: $\beta \Leftarrow x_p$

Site 2:
  local $y, y_l$ : integer where $y = 0$, $y_l = 0$

  Requestor$_2$:
    local $y_g, y_w$ : integer where $y_g = 0$
    local $a_y$ : boolean
    $k_0$: loop forever do
      $k_1$: produce $y_w$
      $k_2$: $\langle$ if $y_l \leq y_w$ then $(y, a_y) := (y_w, F)$ else $a_y := T$ $\rangle$
      $k_3$: if $a_y$ then
        $k_4$: $\beta \Leftarrow (y_l - y_w)$
        $k_5$: $\beta \Rightarrow y_g$
        $k_6$: $(y_l, y_g) := (y_l - y_g, 0)$
      $k_7$: $\langle$ if $y_l \leq y_w$ then $y :=$ … [rest illegible in the source] $\rangle$

  Grantor$_2$:
    local $y_r, y_p$ : integer where $y_r > 0$, $y_p = 0$
    $n_0$: loop forever do
      $n_1$: $\alpha \Rightarrow y_r$
      $n_2$: $\langle$ if $y_l + y_r \leq y$ then $(y_l, y_p) := (y_l + y_r, y_r)$ else $y_p := 0$ $\rangle$
      $n_3$: $\alpha \Leftarrow y_p$

Figure 1: Demarcation protocol


limit is still below $y$, Site 2 will grant the request (and update its own limit $y_l$); otherwise it will deny it. The conversion of this program to a fair transition system $S_d$ is straightforward (see also [MP91]). Each statement gives rise to a transition; the statements enclosed by angle brackets are interpreted as atomic statements. For example, the transition relation for the statement labeled by $\ell_2$ is $(x_w \leq x_l \wedge x' = x_w \wedge a'_x = false) \vee (x_w > x_l \wedge a'_x = true)$. We will verify that the protocol satisfies the temporal specification $\Box(x \leq x_l \leq y_l \leq y)$.
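As an added example (not part of the paper), the following Python encodes the protocol of Figure 1 as a transition system in the sense of Section 2 (one guarded transition per statement, program counters plus data variables) and enumerates every reachable state for a small value domain to check $\Box(x \leq x_l \leq y_l \leq y)$; it also shows that dropping the guard of $n_2$, so that Grantor$_2$ grants unconditionally, breaks the property. The channels are modelled as synchronous (a send and its matching receive form one joint transition), $x_l$ is assumed to start at 0, and $\ell_7$/$k_7$ are assumed to assign $x := x_w$ and $y := y_w$; these are assumptions of the example, not statements of the paper.

```python
"""Bounded exhaustive check of the demarcation protocol of Figure 1.
Added example, not the paper's code. Assumptions not fixed by the figure:
alpha and beta are synchronous channels (send + receive = one joint step);
x_l starts at 0 (illegible in the source); l_7 / k_7 assign x := x_w / y := y_w;
"produce" draws its value from the constructed finite DOMAIN."""
from collections import deque

DOMAIN = (0, 1, 2)  # constructed: values that "produce" may choose

INITIAL = dict(pc_l=0, pc_k=0, pc_m=0, pc_n=0,   # Requestor1, Requestor2, Grantor1, Grantor2
               x=0, xl=0, y=0, yl=0,              # data variables and safe limits
               xw=0, xg=0, ax=False, yw=0, yg=0, ay=False,
               xr=0, xp=0, yr=0, yp=0)

def invariant(s):
    """The safety property to be verified: x <= x_l <= y_l <= y."""
    return s["x"] <= s["xl"] <= s["yl"] <= s["y"]

def successors(s, grantor_check=True):
    """All states reachable from s by one transition. grantor_check=False drops
    the guard of n_2 (Grantor2 grants unconditionally) to show why it matters."""
    def step(**changes):
        t = dict(s); t.update(changes); return t
    # Requestor1: l_0 .. l_7
    if s["pc_l"] == 0: yield step(pc_l=1)
    elif s["pc_l"] == 1:
        for v in DOMAIN: yield step(pc_l=2, xw=v)                   # l_1: produce x_w
    elif s["pc_l"] == 2:                                              # l_2: atomic if
        if s["xw"] <= s["xl"]: yield step(pc_l=3, x=s["xw"], ax=False)
        else: yield step(pc_l=3, ax=True)
    elif s["pc_l"] == 3: yield step(pc_l=4 if s["ax"] else 7)         # l_3: if a_x
    elif s["pc_l"] == 4 and s["pc_n"] == 1:                           # l_4 || n_1 on alpha
        yield step(pc_l=5, pc_n=2, yr=s["xw"] - s["xl"])
    elif s["pc_l"] == 5 and s["pc_n"] == 3:                           # n_3 || l_5 on alpha
        yield step(pc_l=6, pc_n=0, xg=s["yp"])
    elif s["pc_l"] == 6: yield step(pc_l=7, xl=s["xl"] + s["xg"], xg=0)  # l_6
    elif s["pc_l"] == 7:                                              # l_7 (assumed x := x_w)
        yield step(pc_l=0, x=s["xw"]) if s["xw"] <= s["xl"] else step(pc_l=0)
    # Grantor2: n_0 and n_2 (n_1 and n_3 are the joint steps above)
    if s["pc_n"] == 0: yield step(pc_n=1)
    elif s["pc_n"] == 2:                                              # n_2: grant or deny
        if not grantor_check or s["yl"] + s["yr"] <= s["y"]:
            yield step(pc_n=3, yl=s["yl"] + s["yr"], yp=s["yr"])
        else: yield step(pc_n=3, yp=0)
    # Requestor2: k_0 .. k_7 (mirror image, talking to Grantor1 over beta)
    if s["pc_k"] == 0: yield step(pc_k=1)
    elif s["pc_k"] == 1:
        for v in DOMAIN: yield step(pc_k=2, yw=v)
    elif s["pc_k"] == 2:
        if s["yl"] <= s["yw"]: yield step(pc_k=3, y=s["yw"], ay=False)
        else: yield step(pc_k=3, ay=True)
    elif s["pc_k"] == 3: yield step(pc_k=4 if s["ay"] else 7)
    elif s["pc_k"] == 4 and s["pc_m"] == 1:                           # k_4 || m_1 on beta
        yield step(pc_k=5, pc_m=2, xr=s["yl"] - s["yw"])
    elif s["pc_k"] == 5 and s["pc_m"] == 3:                           # m_3 || k_5 on beta
        yield step(pc_k=6, pc_m=0, yg=s["xp"])
    elif s["pc_k"] == 6: yield step(pc_k=7, yl=s["yl"] - s["yg"], yg=0)
    elif s["pc_k"] == 7:                                              # k_7 (assumed y := y_w)
        yield step(pc_k=0, y=s["yw"]) if s["yl"] <= s["yw"] else step(pc_k=0)
    # Grantor1: m_0 and m_2
    if s["pc_m"] == 0: yield step(pc_m=1)
    elif s["pc_m"] == 2:                                              # m_2: grant or deny
        if s["xl"] - s["xr"] >= s["x"]:
            yield step(pc_m=3, xl=s["xl"] - s["xr"], xp=s["xr"])
        else: yield step(pc_m=3, xp=0)

def explore(grantor_check=True, limit=200000):
    """Breadth-first enumeration of reachable states. Returns (holds, n_states)
    and stops at the first state that violates the invariant."""
    key = lambda t: tuple(sorted(t.items()))
    seen, queue = {key(INITIAL)}, deque([INITIAL])
    while queue:
        s = queue.popleft()
        if not invariant(s): return False, len(seen)
        for t in successors(s, grantor_check):
            k = key(t)
            if k not in seen:
                if len(seen) >= limit: raise RuntimeError("state bound exceeded")
                seen.add(k); queue.append(t)
    return True, len(seen)

if __name__ == "__main__":
    print("protocol:", explore())
    print("n_2 without guard:", explore(grantor_check=False))
```

The exploration is a finite-state stand-in for the deductive proof that follows: it can only confirm the property for the chosen domain, whereas the diagram proof of Section 6 covers all integer values.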

3 Modular Diagrams

The diagrams used in this paper are derived from the fairness diagrams of [dAM96]. A diagram $A = (U, V, \mathcal{V}, F, E, \mu, \theta, \nu, tr, \mathcal{F})$ for a TS $S$ consists of the following components:

1. A subset $U \subseteq T$ indicating the transitions that are studied by diagram $A$.

2. A set $V$ of typed variables.

3. A set $\mathcal{V}$ of vertices, and two disjoint sets $F, E$ of edges, with associated functions $tl, hd : F \cup E \mapsto \mathcal{V}$ that give the source (tail) $tl(e)$ and the target (head) $hd(e)$ of each edge $e \in F \cup E$. The edges in $F$, called system edges, represent subsets of the set $U$ of transitions; the edges in $E$, called environment edges, represent the transitions in $T - U$.

4. Two mappings $\mu, \theta : \mathcal{V} \mapsto form(V)$ that associate with each vertex $v \in \mathcal{V}$ a formula $\mu(v)$ (resp. $\theta(v)$) denoting the states (resp. initial states) associated with $v$.

5. A mapping $\nu : F \cup E \mapsto form(V, V')$, which associates with each edge $e \in F \cup E$ a transition formula $\nu(e)$.

6. A mapping $tr : F \cup E \mapsto 2^{T}$, labeling each edge $e \in F \cup E$ with the subset of transitions it represents. We require that $tr(e) \subseteq U$ for $e \in F$, and $tr(e) = T - U$ for $e \in E$.

7. A fairness set $\mathcal{F}$, consisting of triples of the form $(J, C, G)$, where $J, C : \mathcal{V} \mapsto form(V)$ and $G : F \mapsto 2^{U}$. For $e \in F$ we require that $G(e) \subseteq tr(e)$. Each triple, called a fairness constraint, is used to represent a fairness property of the diagram, as will be explained below.

Given $u, v \in \mathcal{V}$ and a set $H$ of edges, we denote by $H(u) = \{e \in H \mid tl(e) = u\}$ and $H(u, v) = \{e \in H \mid tl(e) = u \wedge hd(e) = v\}$ the set of edges from $u$, and from $u$ to $v$, respectively.

A location of a diagram is a pair $(v, s)$ with $v \in \mathcal{V}$ and $s \models \mu(v)$, composed of a vertex and of a corresponding state. A run of a diagram is an infinite sequence of locations $(v_0, s_0), (v_1, s_1), (v_2, s_2), \ldots$ such that $s_0 \models \theta(v_0)$, and for all $i \geq 0$ there is $e \in F(v_i, v_{i+1}) \cup E(v_i, v_{i+1})$ such that $(s_i, s_{i+1}) \models \nu(e)$. Given an edge $e \in F \cup E$, we denote by $\hat{\nu}(e)$ the formula $\nu(e) \wedge \mu(tl(e)) \wedge \mu'(hd(e))$, which denotes the state transitions that can occur when edge $e$ is traversed. The computations of a diagram are defined in terms of its accepting runs.

Definition 1 (accepting runs) A run $\sigma : (v_0, s_0), (v_1, s_1), (v_2, s_2), \ldots$ of a diagram $A$ is an accepting run if, for each constraint $(J, C, G) \in \mathcal{F}$, if there is $n \geq 0$ such that $s_i \models J(v_i)$ for all $i \geq n$ and $s_i \models C(v_i)$ for infinitely many $i \geq 0$, then there are infinitely many $j \geq 0$ such that $\exists \tau \in G(v_j, v_{j+1}) \,.\, (s_j, s_{j+1}) \models \rho_\tau$. If $\sigma : (v_0, s_0), (v_1, s_1), (v_2, s_2), \ldots$ is an accepting run of $A$, the sequence of states $s_0, s_1, s_2, \ldots$ is a computation of $A$. We denote by $Runs(A)$, $\mathcal{L}(A)$ the sets of accepting runs and computations of $A$, respectively. ∎

4 The Structure of Proofs

Given a TS $S$ and a specification $\phi \in TLS$, a proof of $S \models \phi$ consists of a directed acyclic graph (dag) whose nodes are labeled with diagrams. The diagrams labeling the roots of the dag are obtained from $S$ and $\phi$; the diagrams labeling the non-root nodes of the dag are obtained using diagram transformation rules that will be discussed in detail in the next section.

Definition 2 (proof dag) Given a transition system $S = (V, T, \Theta, J, C)$ and a formula $\phi \in TLS$, a proof dag for $S$ and $\phi$ is a directed acyclic graph (dag) $D$, in which every node $d \in D$ is labeled with a diagram $A_d$. Dag $D$ has two root nodes, labeled with diagrams $A(\neg\phi, S)$ and $A(S)$; every non-root node $d \in D$ has either one or two parents. If $d$ has a single parent $d'$, then $A_d$ has been obtained from $A_{d'}$ by one application of a transformation rule; if $d$ has two parents $d_0, d_1$, then $A_d = A_{d_0} \otimes A_{d_1}$, where $\otimes$ is the diagram composition operator. ∎

The diagrams labeling the roots of the proof dag are constructed as follows.

Construction 1 ($A(S)$) The diagram $A(S) = (T, V, \{v_0\}, \{f_0\}, \emptyset, \mu, \theta, \nu, tr, \emptyset)$ consists of a single vertex $v_0$ with one self-loop system edge $f_0$. The vertex and edge labels are defined by $\mu(v_0) = true$, $\theta(v_0) = \Theta$, $\nu(f_0) = true$, $tr(f_0) = T$. ∎

Construction 2 ($A(\neg\phi, S)$) Let $N_{\neg\phi}$ be the (first-order) Streett automaton that accepts all the state sequences that do not satisfy $\phi$ [Saf88]. The automaton consists of the components $(V, (\mathcal{V}, F), \mu, Q, \mathcal{A})$, where $V, \mu$ are as in a diagram; $(\mathcal{V}, F)$ is a directed graph; $Q \subseteq \mathcal{V}$ is the set of initial vertices, and $\mathcal{A}$, called the acceptance list, is a set of pairs $(P, R)$ with $P, R \subseteq \mathcal{V}$.

From $N_{\neg\phi}$ we construct $A(\neg\phi, S) = (T, V, \mathcal{V}, F, \emptyset, \mu, \theta, \nu, tr, \mathcal{F})$, where $\nu(e) = true$, $tr(e) = T$ for $e \in F$, $\theta(v) = \Theta$ for $v \in Q$, and $\theta(v) = false$ for $v \in \mathcal{V} - Q$. For each $(P, R) \in \mathcal{A}$, there is a constraint $(J, C, G) \in \mathcal{F}$ defined by $J(v) = true$, if $v \in \mathcal{V} - P$ then $C(v) = true$ else $C(v) = false$, and if $hd(e) \in R$ then $G(e) = T$ else $G(e) = \emptyset$, for all $v \in \mathcal{V}$ and $e \in F$. ∎

Due to the granularity of the acceptance condition of $A(\neg\phi, S)$, we do not necessarily have $\mathcal{L}(N_{\neg\phi}) = \mathcal{L}(A(\neg\phi, S))$. However, the following lemma suffices for our purposes.

Lemma 1 $\mathcal{L}(S) \cap \mathcal{L}(A(\neg\phi, S)) = \{\sigma \in \mathcal{L}(S) \mid \sigma \not\models \phi\}$.

The aim of the construction of the proof dag is to obtain a leaf labeled with a diagram that can be algorithmically shown to have empty language, indicating that all computations of $S$ satisfy $\phi$. The algorithm for language emptiness relies on a terminating proof procedure $\vdash$ for the first-order language used in the specification and in the labels of the diagram. Given a first-order formula $\psi$, we write $\vdash \psi$, $\nvdash \psi$ depending on whether $\vdash$ terminates with or without a proof of $\psi$, respectively. We assume that the procedure $\vdash$ is at least able to prove the validity of all substitution instances of propositional tautologies. The check for language emptiness is based on an analysis of the strongly connected components (SCCs) of the graph underlying the diagram.

Definition 3 (persistent and non-persistent SCCs) Given a diagram $A$, we say that a strongly connected component $U$ of the graph $(\mathcal{V}_A, F_A \cup E_A)$ is non-persistent if there is a constraint $(J, C, G) \in \mathcal{F}_A$ such that the following conditions hold:

$\forall v \in U \,.\, \vdash \mu(v) \rightarrow J(v)$ ;  $\exists v \in U \,.\, \vdash \mu(v) \rightarrow C(v)$ ;  $\forall e \in F_A$ with $tl(e), hd(e) \in U \,.\, G(e) = \emptyset$ .

Otherwise, we say that $U$ is persistent. ∎

The set of vertices that appear infinitely often along any accepting run of a diagram must be a persistent SCC. Thus, we have the following criterion for language emptiness [dAM96, SUM96].

Theorem 1 If all the SCCs of a diagram $A$ are non-persistent, then $\mathcal{L}(A) = \emptyset$.
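The following Python is an added illustration (not the paper's code) of Definition 3 and Theorem 1: Tarjan's algorithm computes the SCCs of the graph $(\mathcal{V}_A, F_A \cup E_A)$, each SCC is tested for non-persistence against the fairness constraints, and the language is declared empty when every SCC that has an inner edge is non-persistent (an SCC without inner edges cannot host the infinite suffix of a run, so it is skipped; this is a design choice of the example). The proof procedure $\vdash$ is replaced by exhaustive evaluation over a constructed two-variable state space, and the diagram, its labels and its two constraints are constructed for the example.

```python
"""Language-emptiness check of Definition 3 / Theorem 1 (added example, not the
paper's code). Assumptions: vertex labels mu and the J, C parts of constraints
are Python predicates over the constructed finite STATES, so that
|- (phi -> psi) is decided by enumeration; an edge is (tail, head, kind, tr)
with kind "F" (system) or "E" (environment); G maps edge names to sets."""
from itertools import product

# constructed state space: two boolean variables p and q
STATES = [{"p": p, "q": q} for p, q in product((False, True), repeat=2)]

def proves(phi, psi):
    """Stand-in for the proof procedure: |- phi -> psi holds iff every state
    satisfying phi satisfies psi."""
    return all(psi(s) for s in STATES if phi(s))

def sccs(vertices, edges):
    """Tarjan's algorithm on (V, F u E); returns the SCCs as frozensets."""
    adj = {v: [] for v in vertices}
    for tail, head, _, _ in edges.values():
        adj[tail].append(head)
    index, low, stack, on_stack, out = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v); on_stack.add(v)
        for w in adj[v]:
            if w not in index:
                visit(w); low[v] = min(low[v], low[w])
            elif w in on_stack:
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:            # v is the root of a component
            comp = set()
            while True:
                w = stack.pop(); on_stack.discard(w); comp.add(w)
                if w == v: break
            out.append(frozenset(comp))
    for v in vertices:
        if v not in index: visit(v)
    return out

def inner_edges(scc, edges):
    """Edges with both endpoints inside the SCC."""
    return {n: e for n, e in edges.items() if e[0] in scc and e[1] in scc}

def non_persistent(scc, edges, mu, constraints):
    """Definition 3: some (J, C, G) has J provable at every vertex of the SCC,
    C provable at one of them, and G empty on every inner system edge."""
    inner = inner_edges(scc, edges)
    for J, C, G in constraints:
        if (all(proves(mu[v], J[v]) for v in scc)
                and any(proves(mu[v], C[v]) for v in scc)
                and all(not G.get(n) for n, e in inner.items() if e[2] == "F")):
            return True
    return False

def language_empty(vertices, edges, mu, constraints):
    """Theorem 1: empty language if every SCC with an inner edge is non-persistent."""
    return all(non_persistent(c, edges, mu, constraints)
               for c in sccs(vertices, edges) if inner_edges(c, edges))

# --- constructed diagram: vertex a labelled (not p), vertex b labelled p ---
VERTS = ["a", "b"]
MU = {"a": lambda s: not s["p"], "b": lambda s: s["p"]}
EDGES = {"e1": ("a", "a", "F", {"t1"}),
         "e2": ("a", "b", "F", {"t2"}),
         "e3": ("b", "b", "F", {"t1", "t2"})}

def true(s): return True
def false(s): return False

# c1: while the run stays at a, t2 must eventually be taken along e2
C1 = ({"a": true, "b": false}, {"a": true, "b": false}, {"e2": {"t2"}})
# c2: p cannot hold infinitely often (no G-edge can discharge it)
C2 = ({"a": true, "b": true}, {"a": false, "b": lambda s: s["p"]}, {})

if __name__ == "__main__":
    print("SCCs:", sccs(VERTS, EDGES))
    print("empty with c1 only:", language_empty(VERTS, EDGES, MU, [C1]))
    print("empty with c1 and c2:", language_empty(VERTS, EDGES, MU, [C1, C2]))
```

With `C1` alone the component $\{b\}$ stays persistent, so the check reports a possibly non-empty language; adding `C2`, as a progress rule would, makes both components non-persistent and the language empty.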

Definition 4 (proof of $S \models \phi$) A dag $D$ for $S$ and $\phi$ is a proof of $S \models \phi$ if there is a leaf $l \in D$ such that $U_{A_l} = T$ and Theorem 1 can show that $\mathcal{L}(A_l) = \emptyset$. ∎

Since diagram $A(S)$ can be obtained from $A(\neg\phi, S)$ by means of transformation rules, it would be sufficient to consider dags with only the root $A(\neg\phi, S)$. However, it is convenient to have $A(S)$ as alternate root, since it enables the study of the system starting from a simpler diagram that is independent of the specification. The soundness of the methodology is expressed by the theorem below, discussed in the appendix.

Theorem 2 If there is a dag $D$ which is a proof of $S \models \phi$, then $S \models \phi$ holds.

Examples of Proof Dags

In the following, we present some examples of proof dags for a transition system $S$ and a specification $\phi$. Each dag exemplifies a different proof style, underlining the flexibility that the modular decomposition and composition lend to the methodology. In the dags, thin lines indicate the application of at most one transformation rule, thick lines indicate the application of zero or more rules; we assume that the rightmost diagram has $U = T$ and can be shown to have empty language using Theorem 1.
4.1 The system-analysis style.

[Proof dag figure: $A(S) \rightarrow A_1$; $A_1 \otimes A(\neg\phi, S) \rightarrow A_2$]

This first dag corresponds to the proof style proposed in [dAM96, dAKM97]. In this style, the root diagram $A(S)$ is studied by means of successive transformations, until the product of the resulting diagram with $A(\neg\phi, S)$ has empty language.

4.2 The deductive model-checking style.

[Proof dag figure: $A(S)$ unused; $A(\neg\phi, S) \rightarrow A_1$]

This dag corresponds to the proof style proposed in [SUM96]. In this style, the diagram $A(\neg\phi, S)$ is studied by means of successive transformations until it can be shown to have empty language.


4.3 The modular deductive model-checking style.

[Proof dag figure: $A(S)$ unused; $A(\neg\phi, S)$ split into $A_{11}$ and $A_{21}$; $A_{11} \rightarrow A_{12}$, $A_{21} \rightarrow A_{22}$; $A_{12} \otimes A_{22} = A_3 \rightarrow A_4$]

This dag corresponds to a modular version of the proof style proposed in [SUM96]. In this style, the diagram $A(\neg\phi, S)$ is decomposed into the two diagrams $A_{11}, A_{21}$, each corresponding to a module of $S$. These diagrams are then first studied in isolation (leading to $A_{12}, A_{22}$), and then composed into a joint diagram $A_3$. This diagram is then subject to transformations, until the resulting diagram $A_4$ can be shown to have empty language.


4.4 A system-analysis and model-checking modular style.

[Proof dag figure: $A(S)$ split into $A_{11}$ and $A_{21}$; $A_{11} \rightarrow A_{12}$, $A_{21} \rightarrow A_{22}$; $A_{12} \otimes A_{22} = A_3$; $A_3 \otimes A(\neg\phi, S)$, followed by further transformations]

This dag illustrates a proof in which the diagram $A(S)$ for the TS $S$ is first studied by means of modular decomposition, leading to the two diagrams $A_{11}$ and $A_{21}$. These diagrams are studied, leading to diagrams $A_{12}$ and $A_{22}$, which are then combined into diagram $A_3$. Then, diagram $A_3$ is combined with $A(\neg\phi, S)$, and from this point on the proof proceeds as in the deductive model-checking approach. Diagrams for more complex proof structures can be drawn in similar ways.


-  A 


12 


X 


-  A 


22 


X 
5 Diagram Transformations

The transformation rules enable the analysis of the temporal properties of diagrams and the modular decomposition of the system. There are four classes of rules: modular rules split modules into submodules, safety and progress rules study the safety and progress properties of diagrams, and simplification rules simplify the structure of diagrams. While some rules can be applied without preconditions, others require the proof of first-order verification conditions. The diagram composition operator, based on a special type of synchronous composition, is used to combine diagrams for different submodules of a system. It can also be used for proof reuse and backtracking, but such uses are beyond the scope of this paper. Due to space constraints, we present in detail only one rule for modular decomposition and the composition operator $\otimes$, discussing only the general features of the other classes of rules. The definitions of additional rules can be found in the appendix.

Modular rules. The rule below is used to perform modular decomposition: given a diagram $A$ that studies $U \subseteq T$ and given $\mathcal{R} \subseteq U$, the rule produces a diagram for the subset $\mathcal{R}$ of transitions. An additional rule, not discussed in this paper, enables the introduction of auxiliary variables.

Module split rule. Given a proper non-empty subset $\mathcal{R} \subset U$ of the transitions of diagram $A$, the diagram $module\text{-}split(A, \mathcal{R})$ is obtained by restricting $U$ to $\mathcal{R}$, and by splitting each edge $e \in F$ into two new edges $e_1 \in F$, $e_2 \in E$ with labels $tr(e_1) = tr(e) \cap \mathcal{R}$, $tr(e_2) = T - \mathcal{R}$, $\nu(e_1) = \nu(e_2) = \nu(e)$. Each time an edge $e$ is split into $e_1$ and $e_2$, all the constraints $(J, C, G)$ such that $G(e) \not\subseteq \mathcal{R}$ are dropped from the fairness set of the diagram.
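As an added example (not from the paper), this Python implements the module split rule on a small dictionary representation of a diagram: system edges are split into a system half over $tr(e) \cap \mathcal{R}$ and an environment half over $T - \mathcal{R}$, constraints whose $G(e)$ is not contained in $\mathcal{R}$ are dropped, and the surviving constraints are re-attached to the system halves. Two details are assumptions of the example rather than statements of the rule: the $\nu$ labels are opaque strings (the rule copies them unchanged), and the pre-existing environment edges are relabelled with $T - \mathcal{R}$ so that item 6 of Section 3 still holds for the new $U$.

```python
"""Module split rule of Section 5 (added example, not the paper's code).
A diagram is a dict with T (all transitions), U (transitions studied),
F and E (system / environment edges: name -> (tail, head, nu, tr)), and
constraints: a list of (J, C, G) with G: edge name -> set of transitions.
J, C and nu are opaque strings here (assumed), since the rule never changes them."""

def module_split(A, R):
    """Return module-split(A, R): restrict U to R, split every system edge e
    into e_1 (system, tr(e) & R) and e_2 (environment, T - R), and drop the
    constraints whose G(e) is not contained in R."""
    T, U = A["T"], A["U"]
    assert R and R < U, "R must be a proper non-empty subset of U"
    F, E, kept = {}, {}, list(A["constraints"])
    for name, (tail, head, nu, tr) in A["F"].items():
        F[name + "_1"] = (tail, head, nu, tr & R)     # may be empty: then it represents no transition
        E[name + "_2"] = (tail, head, nu, T - R)
        kept = [(J, C, G) for J, C, G in kept if G.get(name, set()) <= R]
    # pre-existing environment edges now represent T - R (assumed, to keep item 6 of Section 3)
    for name, (tail, head, nu, _) in A["E"].items():
        E[name] = (tail, head, nu, T - R)
    # surviving constraints follow the system half of each split edge (assumed)
    constraints = [(J, C, {n + "_1": g for n, g in G.items()}) for J, C, G in kept]
    return dict(T=T, U=R, F=F, E=E, constraints=constraints)

# constructed diagram: transitions t1..t4, of which t4 is not studied
DIAGRAM = dict(
    T={"t1", "t2", "t3", "t4"}, U={"t1", "t2", "t3"},
    F={"f0": ("a", "a", "true", {"t1", "t2", "t3"}),
       "f1": ("a", "b", "x' = x + 1", {"t3"})},
    E={"e0": ("a", "a", "true", {"t4"})},
    constraints=[("J0", "C0", {"f1": {"t3"}}),   # relies on t3: dropped when R = {t1, t2}
                 ("J1", "C1", {"f0": {"t1"}})])  # relies on t1 only: kept

SPLIT = module_split(DIAGRAM, {"t1", "t2"})

if __name__ == "__main__":
    for part in ("U", "F", "E", "constraints"):
        print(part, SPLIT[part])
```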

Safety rules. There are two types of safety rules: the rules that strengthen the vertex or edge labels, and the rules that split vertices and edges into new vertices and edges. The application of rules of the first type corresponds to the proof of inductive invariants, obtained for example using the methods of [BBM97]. Strengthening the vertex labels automatically strengthens the environment by restricting the admissible environment transitions. An additional rule enables the arbitrary strengthening (and pruning) of environment edges, in preparation for the application of progress rules.

Progress rules. The progress rules derive new progress properties about the diagrams, and represent them as fairness constraints that are then added to the diagrams; they are obtained by adapting the rules of [dAM96] to the notation used in this paper. Since the rules do not distinguish between system and environment edges, a fairness constraint can be proved only if it is compatible with the environment: hence the need for the previously mentioned rule to strengthen the environment.

Simplification rules. The simplification rules enable the weakening of the labels of vertices and system edges, and the merging of sets of vertices and edges. The purpose of these rules is to summarize and simplify portions of diagrams that have already been analyzed.

In order to preserve soundness, the simplification rules never weaken the labels of environment edges. To understand the reason, consider as an example an application of a safety rule that over-strengthens the vertex labels, causing the pruning of a portion of the diagram that in fact was reachable by a computation of the TS $S$. In this case, the application of the rule generates an environment that is too restrictive to account for all the possible transitions of the other modules. Since the environment assumptions will not be weakened, when a descendant of the diagram is composed with the diagrams for the other modules, some transitions of these diagrams will not satisfy the environment assumptions, and the composition operator $\otimes$ will create edges to a "sink" vertex. The computations of $S$ that are excluded by the diagram strengthening will then be represented by transitions to the sink vertex, thus preserving computations of $S$. A similar argument can be made for rules that add progress constraints by relying on an improperly strengthened environment.

Composition operator. Given two diagrams $A, B$, the composition operator $\otimes$ combines them into a diagram $C = A \otimes B$ that corresponds to the synchronous composition of $A$ and $B$, with one additional "sink" node. All the state changes of $A$ (resp. $B$) that are due to transitions in $U_A - U_B$ (resp. $U_B - U_A$) but are not accounted for by the environment of $B$ (resp. $A$) give rise to transitions leading to the sink node, preserving the computations that would otherwise be excluded. Diagram $C = A \otimes B$ is defined as follows:

1. $U_C = U_A \cup U_B$.

2. $\mathcal{V}_C = \{v^*\} \cup \{(u, v) \mid u \in \mathcal{V}_A \wedge v \in \mathcal{V}_B \wedge \nvdash \neg[\mu_A(u) \wedge \mu_B(v)]\}$, where $v^*$ is a new vertex used as "sink" for the computations of one diagram that do not match with the environment of the other diagram. For all $(u, v) \in \mathcal{V}_C$, we let $\mu_C(u, v) = \mu_A(u) \wedge \mu_B(v)$ and $\theta_C(u, v) = \theta_A(u) \wedge \theta_B(v)$; for the sink node, $\mu_C(v^*) = true$, $\theta_C(v^*) = false$.

3. Initially, the sets $F_C$ and $E_C$ contain only two edges $f^*, e^*$, respectively, that are self-loops for the sink vertex $v^*$. These edges are labeled by $\nu_C(e^*) = \nu_C(f^*) = true$, $tr(f^*) = U_C$, $tr(e^*) = T - U_C$. Then, additional edges are added in two steps.

(a) First we add the "good" edges, representing synchronous steps of the two diagrams. Consider all pairs of vertices $(u, v), (u', v') \in \mathcal{V}_C$. For each $e \in F_A(u, u') \cup E_A(u, u')$ and $f \in F_B(v, v') \cup E_B(v, v')$, if $tr_A(e) \cap tr_B(f) \neq \emptyset$ and $\nvdash \neg[\hat{\nu}_A(e) \wedge \hat{\nu}_B(f)]$, we construct an edge $g$ from $(u, v)$ to $(u', v')$, labeled by $\nu_C(g) = \nu_A(e) \wedge \nu_B(f)$ and $tr_C(g) = tr_A(e) \cap tr_B(f)$. If $e \in E_A$ and $f \in E_B$, we insert $g$ in $E_C$; otherwise we insert it in $F_C$.

(b) Next, if an edge allows transitions violating the environment of the other diagram, we construct an edge to the sink node. Consider all vertices $(u, v) \in \mathcal{V}_C$. For each edge $e \in F_A(u)$ such that $tr_A(e) \not\subseteq U_B$, we check whether $\vdash [\hat{\nu}_A(e) \wedge \mu_B(v)] \rightarrow \bigvee_{f \in E_B(v)} \hat{\nu}_B(f)$. If the implication cannot be proved, we add to $F_C$ an edge $g$ from $(u, v)$ to $v^*$, labeled by $\nu_C(g) = \hat{\nu}_A(e) \wedge \neg\bigvee_{f \in E_B(v)} \hat{\nu}_B(f)$, $tr_C(g) = tr_A(e) - U_B$. We then perform the symmetrical check for each $f \in F_B(v)$, adding an edge from $(u, v)$ to $v^*$ if the corresponding implication cannot be proved.

4. For each constraint $(J, C, G) \in \mathcal{F}_A$, we insert in $\mathcal{F}_C$ the constraint $(\bar{J}, \bar{C}, \bar{G})$ defined by:

(a) $\bar{J}(v^*) = \bar{C}(v^*) = false$, and for all $u \in \mathcal{V}_A$, $v \in \mathcal{V}_B$, $\bar{J}(u, v) = J(u)$, $\bar{C}(u, v) = C(u)$.

(b) For each edge $g \in F_C$ generated from $e \in F_A$ as in Step 3(a), let $\bar{G}(g) = G(e) \cap tr_C(g)$.

We then perform the symmetrical step for each constraint $(J, C, G) \in \mathcal{F}_B$.
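The following Python is an added example (not the paper's code) of Steps 1 to 3 of the composition operator $\otimes$; Step 4, the transfer of fairness constraints, is left out. Two one-vertex diagrams over a single shared variable $x$ (all constructed) are composed twice: once with an environment assumption that the other module actually satisfies, which yields no sink edges, and once with an over-strong assumption, which makes the operator route the unexplained transition to the sink vertex $v^*$, as the soundness discussion above describes. The proof procedure is replaced by enumeration over a small constructed domain for $x$.

```python
"""Composition operator (Section 5, Steps 1-3) as an added example; not the
paper's code, and Step 4 (fairness constraints) is omitted. Assumptions: a
diagram is a dict with U (transitions studied), V: vertex -> (mu, theta) and
F, E: edge name -> (tail, head, nu, tr); mu/theta are predicates over a state,
nu over a (state, next state) pair; |- is decided over the constructed PAIRS."""
from itertools import product

T = {"inc", "idle"}                            # constructed transition set
STATES = [{"x": v} for v in range(3)]           # constructed finite domain of x
PAIRS = list(product(STATES, repeat=2))

def nu_hat(d, name):
    """nu^(e) = nu(e) /\ mu(tl(e)) /\ mu'(hd(e))."""
    tail, head, nu, _ = {**d["F"], **d["E"]}[name]
    mu_t, mu_h = d["V"][tail][0], d["V"][head][0]
    return lambda s, t: nu(s, t) and mu_t(s) and mu_h(t)

def satisfiable(pred):   # models "not |- ~pred"
    return any(pred(s, t) for s, t in PAIRS)

def valid(pred):         # models "|- pred"
    return all(pred(s, t) for s, t in PAIRS)

def compose(A, B):
    U = A["U"] | B["U"]                                                   # Step 1
    V = {"*": (lambda s: True, lambda s: False)}                          # Step 2: sink v*
    for u, v in product(A["V"], B["V"]):
        if any(A["V"][u][0](s) and B["V"][v][0](s) for s in STATES):
            V[(u, v)] = (lambda s, u=u, v=v: A["V"][u][0](s) and B["V"][v][0](s),
                         lambda s, u=u, v=v: A["V"][u][1](s) and B["V"][v][1](s))
    F = {"f*": ("*", "*", lambda s, t: True, U)}                          # Step 3: sink self-loops
    E = {"e*": ("*", "*", lambda s, t: True, T - U)}
    # Step 3(a): synchronous "good" edges
    for (ea, (ua, ua2, nua, tra)), (eb, (vb, vb2, nub, trb)) in product(
            {**A["F"], **A["E"]}.items(), {**B["F"], **B["E"]}.items()):
        if (ua, vb) not in V or (ua2, vb2) not in V: continue
        tr, ha, hb = tra & trb, nu_hat(A, ea), nu_hat(B, eb)
        if tr and satisfiable(lambda s, t: ha(s, t) and hb(s, t)):
            g = ((ua, vb), (ua2, vb2), lambda s, t, nua=nua, nub=nub: nua(s, t) and nub(s, t), tr)
            (E if ea in A["E"] and eb in B["E"] else F)[f"{ea}x{eb}"] = g
    # Step 3(b): edges to the sink for system steps the other environment cannot explain
    for X, Y in ((A, B), (B, A)):
        for w in [w for w in V if w != "*"]:
            mine, other = w if X is A else (w[1], w[0])
            for name, (tail, _, _, tr) in X["F"].items():
                if tail != mine or tr <= Y["U"]: continue
                env = [nu_hat(Y, f) for f, (ft, _, _, _) in Y["E"].items() if ft == other]
                hx, mu_other = nu_hat(X, name), Y["V"][other][0]
                explained = lambda s, t, env=env: any(h(s, t) for h in env)
                if not valid(lambda s, t: not (hx(s, t) and mu_other(s)) or explained(s, t)):
                    F[f"{name}->sink"] = (w, "*", lambda s, t, hx=hx, ex=explained:
                                          hx(s, t) and not ex(s, t), tr - Y["U"])
    return dict(U=U, V=V, F=F, E=E)

def sink_edges(C):
    """Names of the edges that lead from a product vertex to the sink."""
    return sorted(n for n, (tail, head, _, _) in C["F"].items() if head == "*" and tail != "*")

# constructed module A: studies "inc", which increments x; assumes nothing of its environment
A = dict(U={"inc"}, V={"a0": (lambda s: True, lambda s: s["x"] == 0)},
         F={"fa": ("a0", "a0", lambda s, t: t["x"] == s["x"] + 1, {"inc"})},
         E={"ea": ("a0", "a0", lambda s, t: True, T - {"inc"})})

def module_b(env):
    """Constructed module B: studies "idle" and assumes env of its environment."""
    return dict(U={"idle"}, V={"b0": (lambda s: True, lambda s: s["x"] == 0)},
                F={"fb": ("b0", "b0", lambda s, t: t["x"] == s["x"], {"idle"})},
                E={"eb": ("b0", "b0", env, T - {"idle"})})

B_OK = module_b(lambda s, t: t["x"] >= s["x"])       # environment only increases x: true of A
B_STRONG = module_b(lambda s, t: t["x"] == s["x"])   # over-strong: environment never changes x

if __name__ == "__main__":
    print("sink edges, sound assumption:", sink_edges(compose(A, B_OK)))
    print("sink edges, over-strong assumption:", sink_edges(compose(A, B_STRONG)))
```

With the sound assumption every `inc` step of module A is matched by B's environment edge, so the only sink edges are the initial self-loops; with the over-strong assumption the good edge `faxeb` is unsatisfiable and the operator adds `fa->sink` with $tr = \{inc\}$, which is exactly how the composition preserves the computations that the stronger assumption had wrongly excluded.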

6 Demarcation Protocol: Diagram Proof

To prove that the demarcation protocol shown in Figure 1 satisfies $\phi : \Box(x \leq x_l \leq y_l \leq y)$ we construct the two roots $A(S_d)$ and $A(\neg\phi, S_d)$ of the proof dag. The communication structure of the program suggests decomposing the system into two modules consisting of Requestor$_1$‖Grantor$_2$ ($R1G2$) and Requestor$_2$‖Grantor$_1$ ($R2G1$); the proof will follow the style depicted in Section 4.4.

First, we apply the decomposition rule twice to $A(S_d)$, once with $\mathcal{R} = \{\ell_{0..7}, n_{0..3}, idle\}$, and another time with $\mathcal{R}$ equal to the remaining transitions, obtaining diagrams $A_{11}$ and $A_{21}$.

We want to show that the module corresponding to diagram $A_{11}$ maintains $x \leq x_l$. The only statement that may potentially violate this is $\ell_6$; thus, we require $at_{\ell_6} \rightarrow x_g \geq 0$. Note that $\ell_2$ cannot violate $x \leq x_l$ due to its guard and the atomicity of the grouped statement. Performing backpropagation based on $at_{\ell_6} \rightarrow x_g \geq 0$, following the methods described in [BBM97], and splitting and strengthening the vertices accordingly, we obtain the diagram shown in Figure 2.

[Figure 2: diagram not recoverable from the source; one surviving edge label reads $tr : \{\ell_4\}$]

Figure 2: Diagram for module $R1G2$

To reduce cluttering, environment edges have been omitted. However, each vertex has an environment edge connecting it to itself, labeled by $tr : \{k_{0..7}, m_{0..3}\}$. The $\nu$-labeling of the system edges consists of the disjunction of the transition relations associated with the transitions in $tr$; the $\nu$-labeling of the environment edges is identically equal to $true$. The labeling $\theta$ is equal to $\Theta$ on the first vertex of the diagram, and is $false$ on the other ones. The fairness set $\mathcal{F}$ is empty.

The  environment  assumptions  are  encoded  by  the  F-formulas  associated  with  the  environment 
edges:  for  example,  the  assumption  corresponding  to  the  second  vertex  is  given  by 

(at_4,4  A  ax  ^  xw  >  xi)  — >  {at'  A  a'x  — >  x'w  >  x\)  . 

The second property we want to analyze for this module is $\Box(y < y_l)$. This may be falsified by statements $n_2$ and again $\ell_4$. Thus we require $at_{n_2} \to {} > 0$ and $at_{\ell_4} \to x_l + x_g < y_l$. These assertions can be added to the vertices of the diagram shown in Figure 2 by application of the safety rules without the need for further splitting of vertices; the diagram obtained corresponds to diagram $\Delta_{12}$ of Section 4.4.

After performing a similar analysis for the module $R_2G_1$, obtaining diagram $\Delta_{22}$, we compose the two resulting diagrams, obtaining diagram $\Delta_3 = \Delta_{12} \otimes \Delta_{22}$. The edges leading to the "sink" vertex of $\Delta_3$ are labeled by false, so that the sink vertex is unreachable and can be eliminated. Note that only the transition relation of the environment edge of the second vertex of $\Delta_{12}$ (resp. $\Delta_{22}$) has to be validated against its environment, since the assertions labeling the other vertices only refer to variables local to $R_1G_2$ (resp. $R_2G_1$), and thus cannot be falsified by other modules; on the other hand, $x_l$ and $y_l$ are not local to the modules. A final composition of this diagram with $\Delta(\neg\phi)$ then leads to diagram $\Delta_4$, which can be shown to have empty language by Theorem 1.

By comparison, the proof of this property using non-modular verification diagrams requires the input of a diagram with many more vertices, labeled with complex assertions.

7 Completeness Results and Guidance

The completeness of the methodology presented in this paper follows easily from an analysis of the completeness proof for the diagram transformation methodology of [dAM96]. In fact, the completeness proof for the methodology of [dAM96] is based on the construction of a chain of diagram transformations that proves the property; the construction of this chain can be easily recast as the construction of a non-modular proof dag. We can thus state the following theorem.

Theorem 3 (completeness) For a TS $S$ and $\phi \in TL_S$, if $S \models \phi$ then there is a dag $D$ that is a proof of $S \models \phi$.

Guidance in constructing the proof can be obtained in several ways, depending on the position of the diagram $\Delta$ under study in the proof dag. If the only root ancestor of $\Delta$ is $\Delta(S)$, it is possible to obtain guidance by computing the product $\Delta \otimes \Delta(\neg\phi, S)$: the projection of the persistent SCCs of the product back onto $\Delta$ gives an indication of the components of $\Delta$ that have to be shown either unreachable or non-persistent [dAM96, dAKM97].

If the root ancestors of $\Delta$ include $\Delta(\neg\phi, S)$, then attention can be focused on the persistent SCCs of $\Delta$; all of these have to be shown to be unreachable, or have to be broken or shown non-persistent by the addition of progress constraints [SUM96].

When analyzing a diagram for a subsystem, a $\otimes$ product with a diagram for the rest of the system will tell whether the environment assumptions are satisfied by the rest of the system. In case sink edges are created, the assumptions were too restrictive: the source vertex and the transition relation of the sink edge give information about the improper restriction of the environment assumptions.

References

[AL90] M. Abadi and L. Lamport. Composing specifications. In Stepwise Refinement of Distributed Systems: Models, Formalism, Correctness, volume 430 of LNCS, pages 1-41. Springer-Verlag, 1990.

[BBM97] N.S. Bjørner, A. Browne, and Z. Manna. Automatic generation of invariants and intermediate assertions. Theor. Comp. Sci., 1997. To appear.

[BGM92] D. Barbara and H. Garcia-Molina. The demarcation protocol: A technique for maintaining linear arithmetic constraints in distributed database systems. In Advances in Database Technology - 3rd Int. Conf. on Extending Database Technology, pages 373-388. Springer-Verlag, 1992.

[BMS95] A. Browne, Z. Manna, and H.B. Sipma. Generalized verification diagrams. In 15th Conference on the Foundations of Software Technology and Theoretical Computer Science, volume 1026 of LNCS, pages 484-498, 1995.

[dAKM97] L. de Alfaro, A. Kapur, and Z. Manna. Hybrid diagrams: A deductive-algorithmic approach to hybrid system verification. In 14th Symposium on Theoretical Aspects of Computer Science, February 1997.

[dAM96] L. de Alfaro and Z. Manna. Temporal verification by diagram transformations. In Proc. 8th Intl. Conference on Computer Aided Verification, volume 1102 of LNCS, pages 287-299, July 1996.

[GL94] O. Grumberg and D.E. Long. Model checking and modular verification. ACM Trans. Prog. Lang. Sys., 16(3):843-871, May 1994.

[Lam94] L. Lamport. TLA in pictures. Technical Report 127, Digital Equipment Corporation, Systems Research Center, September 1994.

[MP91] Z. Manna and A. Pnueli. The Temporal Logic of Reactive and Concurrent Systems: Specification. Springer-Verlag, New York, 1991.

[MP94] Z. Manna and A. Pnueli. Temporal verification diagrams. In Proc. Int. Symp. on Theoretical Aspects of Computer Software, volume 789 of LNCS, pages 726-765. Springer-Verlag, 1994.

[Saf88] S. Safra. On the complexity of ω-automata. In Proc. 29th IEEE Symp. Found. of Comp. Sci., pages 319-327, 1988. An extended version to appear in J. Comp. Sys. Sci.

[SUM96] H.B. Sipma, T.E. Uribe, and Z. Manna. Deductive model checking. In Proc. 8th Intl. Conference on Computer Aided Verification, volume 1102 of LNCS, pages 208-219. Springer-Verlag, 1996.


Appendix

A Diagram Transformation Rules

Below, we present several diagram transformation rules. We have included all the safety rules needed to complete the proof of the demarcation protocol. Moreover, we present the only (elementary) progress rule original to this paper, and we indicate how to adapt the rules of [dAM96] to the present notation.

In the presentation of the transformation rules, we let $\Delta = (U, V, \mathcal{V}, F, E, \mu, \theta, \nu, tr, \mathcal{F})$ be the diagram to be transformed. Moreover, we adopt the following convention to describe the modification of diagram components. Given a mapping $\eta : C \mapsto D$ and two elements $a, b$ with $b \in D$, we define the result of updating $\eta$ by $\eta(a) := b$ to be the mapping $\eta^* : C \cup \{a\} \mapsto D$ such that $\eta^*(a) = b$, and $\eta^*(x) = \eta(x)$ for $x \in C - \{a\}$.

Once a transformation rule has been applied, yielding a diagram $\Delta'$, we remove all the vertices $v \in V'$ such that $\mu'(v) = false$, along with all the edges originating from and leading to these vertices. Next, we remove all edges $e \in E' \cup F'$ such that either $\nu'(e) = false$ or $tr'(e) = \emptyset$. Last, we remove from the diagram all the vertices that are not reachable in the graph $(V', E' \cup F')$ from some vertex $u$ with $\theta'(u) \wedge \mu'(u)$ satisfiable.

A.1 Safety Rules

Rule 1 (vertex strengthen) Let $V = \{v_1, v_2, \ldots, v_m\}$, and consider a list of formulas $\phi_1, \phi_2, \ldots, \phi_m \in form(\mathcal{V})$. Assume that the implications $(\theta(v_i) \wedge \mu(v_i)) \to \phi_i$ and $(\phi_i \wedge \rho(e)) \to \phi'_j$ hold for all $1 \le i, j \le m$ and all $e \in F(v_i, v_j)$. Then, the diagram $v\text{-}streng(\Delta, \phi_1, \ldots, \phi_m)$ is obtained by updating $\mu(v_i) := \mu(v_i) \wedge \phi_i$, $\theta(v_i) := \theta(v_i) \wedge \phi_i$, for $1 \le i \le m$. ∎

Rule 2 (system-edge strengthen) Given $e \in F$, the diagram $se\text{-}streng(\Delta, e)$ is obtained by updating $\mu(e) := \mu(e) \wedge \bigvee_{\tau \in tr(e)} \rho_\tau$. ∎

The following rule enables the arbitrary strengthening (and pruning) of environment edges.

Rule 3 (environment-edge strengthen) Given $e \in E$ and $\phi \in form(\mathcal{V}, \mathcal{V}')$, the diagram $ee\text{-}streng(\Delta, e, \phi)$ is obtained by updating $\nu(e) := \nu(e) \wedge \phi$. ∎

Rule 4 (drop edge label) Given $e \in F$ and $\tau \in tr(e)$, assume that $\rho_\tau \wedge \mu(e) = false$. Then, the diagram $drop\text{-}label(\Delta, e, \tau)$ is obtained by updating $tr(e) := tr(e) - \{\tau\}$, and by updating every constraint $(J, C, G)$ by $G(e) := G(e) - \{\tau\}$. ∎

Rule 5 (vertex split) Given $v \in V$ and $\phi \in form(\mathcal{V})$, the diagram $v\text{-}split(\Delta, v, \phi)$ is obtained by replacing the vertex $v$ of $\Delta$ with two new vertices $v_1, v_2$, with labels $\mu(v_1) = \mu(v) \wedge \phi$, $\mu(v_2) = \mu(v) \wedge \neg\phi$. Then, we replace each edge $e \in E(v, v) \cup F(v, v)$ with four new edges $\{e_{ij}\}_{i,j \in \{1,2\}}$, where edge $e_{ij}$ leads from $v_i$ to $v_j$, and we add these edges to $E$ if $e \in E$ and to $F$ if $e \in F$. We replace each edge $e \in E \cup F$ leading to $v$ with two new edges $e_1, e_2$ leading to $v_1, v_2$ respectively. We replace each edge $e \in E(v) \cup F(v)$ with two new edges $e_1, e_2$ departing from $v_1, v_2$ respectively. The new edges have the same labels as the edges they replace. Finally, we update each constraint $(J, C, G)$ by $J(v_1) := J(v)$, $J(v_2) := J(v)$, $C(v_1) := C(v)$, $C(v_2) := C(v)$. If edge $f$ has replaced edge $e$, we update $G(f) := G(e)$. ∎
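As an added illustration, not code from the paper, the following Python sketch implements the vertex-split rule above together with the pruning convention stated at the start of this appendix. Assertions are represented as conjunctions of literals with a trivial satisfiability check standing in for a real decision procedure; fairness constraints and the $\nu$ labels of environment edges are left out, and copying $\theta$ unchanged onto the two new vertices is an assumption of this sketch.

```python
from collections import deque

FALSE = frozenset({"0", "!0"})   # an unsatisfiable conjunction, used for theta = false
def neg(lit):
    return lit[1:] if lit.startswith("!") else "!" + lit
def satisfiable(conj):   # a conjunction of literals is false iff it holds both p and !p
    return not any(neg(l) in conj for l in conj)

class Diagram:
    def __init__(self, mu, theta, E, F, tr):
        self.mu, self.theta = dict(mu), dict(theta)      # vertex -> conjunction of literals
        self.E, self.F = dict(E), dict(F)                # environment / system edges: name -> (src, dst)
        self.tr = {e: set(t) for e, t in tr.items()}     # edge name -> set of transitions
    def v_split(self, v, phi):   # Rule 5 (fairness constraints omitted), followed by pruning
        v1, v2, base = v + "_1", v + "_2", self.mu.pop(v)
        self.mu[v1], self.mu[v2] = base | {phi}, base | {neg(phi)}
        self.theta[v1] = self.theta[v2] = self.theta.pop(v)   # assumption: theta is copied
        for edges in (self.E, self.F):
            for e, (s, d) in list(edges.items()):
                if v in (s, d):   # a self-loop yields four edges, other incident edges two
                    del edges[e]
                    for s2 in ((v1, v2) if s == v else (s,)):
                        for d2 in ((v1, v2) if d == v else (d,)):
                            edges[f"{e}/{s2}->{d2}"] = (s2, d2)          # new edge, same label
                            self.tr[f"{e}/{s2}->{d2}"] = set(self.tr[e])
                    del self.tr[e]
        return self.prune()
    def prune(self):   # cleanup applied after every rule (start of Appendix A)
        ok = {v for v in self.mu if satisfiable(self.mu[v])}   # vertices with mu != false
        succ = {v: set() for v in self.mu}
        for e, (s, d) in [*self.E.items(), *self.F.items()]:
            if self.tr[e] and s in ok and d in ok: succ[s].add(d)   # only surviving edges count
        seen = {u for u in self.mu if satisfiable(self.theta[u] | self.mu[u])}   # initial vertices
        todo = deque(seen)
        while todo:
            for w in succ[todo.popleft()] - seen:
                seen.add(w); todo.append(w)
        for v in [v for v in self.mu if v not in seen]:
            del self.mu[v], self.theta[v]
        for edges in (self.E, self.F):
            for e, (s, d) in list(edges.items()):
                if not (s in seen and d in seen and self.tr[e]):
                    del edges[e], self.tr[e]
        return self

def demo(phi):   # constructed diagram: v0 initial, v1 with a system and an environment self-loop
    d = Diagram(mu={"v0": frozenset(), "v1": frozenset({"p"})}, theta={"v0": frozenset(), "v1": FALSE},
                E={"e": ("v1", "v1")}, F={"a": ("v0", "v1"), "b": ("v1", "v1")},
                tr={"a": {"l4"}, "b": {"n2"}, "e": {"k0", "m0"}})
    return d.v_split("v1", phi)
```

Splitting `v1` by a fresh literal keeps both halves and multiplies the incident edges as the rule states; splitting by `p` makes the second half false, and the pruning step removes it together with its edges.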
A.2 Progress Rules

Our first progress rule is used to add fairness constraints that represent the fairness of the transitions of the original transition system.

Rule 6 (add constraints from TS) Let $\tau \in U$ be a just (resp. compassionate) transition of the TS $S$. The diagram $add\text{-}constraint(\Delta, \tau)$ is obtained from $\Delta$ by adding the constraint $(J, C, G)$ defined by $J(v) = En(\tau)$ (resp. $J(v) = true$) if $\tau \in \mathcal{J}$ (resp. $\tau \in \mathcal{C}$), $C(v) = En(\tau)$, and $G(e) = tr(e) \cap \{\tau\}$ for all $v \in V$ and $e \in F$. ∎

Once the fairness of the transitions is represented by fairness constraints, other progress rules are used to reason on these constraints and obtain new constraints, which are added to the diagram. These rules are obtained by adapting the progress rules of [dAM96] to the notation of this paper. As an example, we give below the adapted version of the rule that derives new constraints from the concatenation of already existing ones.

Rule 7 (concatenation of constraints) Given a diagram $\Delta$ and a constraint $(J, C, G)$, assume that there is a constraint $(J_0, C_0, G_0) \in \mathcal{F}$ with $(J_0(u) \wedge \mu(u)) \to J(u)$ for all $u \in V$ and a ranking function $\delta$ such that the following implications are valid.

1. For all $u, v \in V$ and $e \in F(u, v) \cup E(u, v)$,

$J(u) \wedge \rho(e) \to \neg J'(v) \vee \delta(u) \ge \delta'(v) \vee \bigvee_{\tau \in G(e)} \rho_\tau$

$J(u) \wedge \rho(e) \wedge \bigvee_{\tau \in G_0(e)} \rho_\tau \to \neg J'(v) \vee \delta(u) > \delta'(v) \vee \bigvee_{\tau \in G(e)} \rho_\tau$ ,

with the convention that $G(e) = \emptyset$ for $e \in E$.

2. Either $(C(u) \wedge \mu(u)) \to C_0(u)$ for all $u \in V$, or there is $(J_1, C_1, G_1) \in \mathcal{F}$ such that for all $u, v \in V$, the implications

$J(u) \wedge \mu(u) \to J_1(u) \vee J_0(u)$

$C(u) \wedge \mu(u) \to C_1(u) \vee C_0(u)$

$J(u) \wedge \rho(e) \wedge \bigvee_{\tau \in G_1(e)} \rho_\tau \to \neg J'(v) \vee C_0(v) \vee \bigvee_{\tau \in G(e)} \rho_\tau$

are valid for all $e \in F(u, v) \cup E(u, v)$.

Then, diagram $conc\text{-}cons(\Delta, (J, C, G))$ is obtained by adding the constraint $(J, C, G)$ to the fairness set of diagram $\Delta$. ∎


B Soundness of the Methodology

Differently from [dAM96], the diagram transformations we present do not preserve language containment, since it is possible to strengthen arbitrarily the transition formulas labeling the environment edges. The lemma below provides a characterization of the language of diagrams in the proof dag. In the lemma, we denote by $\bar\sigma$ the sequence of states corresponding to a run $\sigma$ (which can be accepting or not accepting). The lemma can be proved by induction on the structure of the dag, using the definitions of the transformation rules and the composition operator; the proof has been omitted due to its length.

Lemma 2 Given a proof dag $D$ for a TS $S$, let $D_0$ be the set of nodes that have $\Delta(S)$ as unique root ancestor, and let $D_1$ be the set of nodes that have $\Delta(\neg\phi, S)$ among the root ancestors. Then, for $\Delta \in \{\Delta_d \mid d \in D_0\}$ (resp. $\Delta \in \{\Delta_d \mid d \in D_1\}$) there is a function $\Lambda_0$ (resp. $\Lambda_1$) that maps the accepting runs $\{\sigma \in Runs(\Delta(S)) \mid \bar\sigma \in \mathcal{L}(S)\}$ (resp. $\{\sigma \in Runs(\Delta(\neg\phi, S)) \mid \bar\sigma \in \mathcal{L}(S)\}$) into runs (not necessarily accepting) or run prefixes of $\Delta$. For $i = 0, 1$, these functions have the following properties:

Faithfulness. For $\sigma' = \Lambda_i(\sigma)$, if $\sigma'$ is infinite then $\bar\sigma' = \bar\sigma$, otherwise $\bar\sigma'$ is a prefix of $\bar\sigma$.

Termination. If $\sigma' = \Lambda_i(\sigma)$ is finite, let $(v, s), (v', s')$ be the first step of $\sigma$ that does not have a correspondent in $\sigma'$, and let $(u, s)$ be the last location of $\sigma'$. Then, for all $\tau \in \mathcal{T}$, if $(s, s') \models \rho_\tau$ then $\tau \notin U_\Delta$, so that the missing step in $\Delta$ is the responsibility of the environment. Moreover, $(s, s') \not\models \nu_\Delta(e)$ for all $e \in E_\Delta(u)$, indicating that $\sigma'$ cannot be extended due to the (excessive) strengthening of the environment of $\Delta$.

Progress. If $\sigma' = \Lambda_i(\sigma)$ is infinite, then $\sigma'$ is also accepting. ∎

As a consequence of this lemma, we have the following result.

Theorem 4 In a proof dag $D$, consider a node $d$ labeled by a diagram $\Delta$ with $U_\Delta = \mathcal{T}$. If $d$ has $\Delta(S)$ as only root ancestor, then $\mathcal{L}(S) \subseteq \mathcal{L}(\Delta)$. If $\Delta(\neg\phi, S)$ is among the root ancestors of $d$, then $\{\omega \in \mathcal{L}(S) \mid \omega \not\models \phi\} \subseteq \mathcal{L}(\Delta)$.

By the above theorem, if dag $D$ contains a node labeled with a diagram $\Delta$ such that $U_\Delta = \mathcal{T}$ and $\mathcal{L}(\Delta) = \emptyset$, then $\{\omega \in \mathcal{L}(S) \mid \omega \not\models \phi\} = \emptyset$. Theorem 2, expressing the soundness of the methodology, follows as a consequence.